11 most common mistakes that derail data classification projects
In the digital era, more information is being generated than ever before. Assigning security classification labels to your organization’s information is a highly effective practice to control flow, access and distribution. It is also economical and relatively easy to deploy and use.
Despite the simplicity of using data classifications, based on discussions with the Security Managers of our customers, we've identified eleven common mistakes organisations can make when introducing a classification project. Explore those common mistakes to help ensure your data classification initiative doesn’t derail in our latest Short Tips.
1. Too many/few classifications
Classifications or protective markings should reflect the sensitivity of your information and the likely consequences for your organization, should it fall into the wrong hands. The markings should also make sense and be easily understood for new hires or temporary staff, so the entire team will use them accurately and consistently.
If you define too many classification categories, users may struggle to decide which to use and they’ll make mistakes. If you define too few, users will make classification decisions more easily, but your system will either be under-protecting or over-protecting your data.
Most organisations, regardless of whether corporate or government, usually have three or four standard data classification levels, including: Not Work (not related to work), Not Sensitive, Confidential and Highly Confidential. This set of classifications is called a ‘schema’.
If you have categories of sensitive information that aren’t equivalent, you can add caveats or qualifiers such as Confidential – Legal or Confidential – Personal Information which will add specificity without adding complexity.
2. Complex classification
Security classification labels are helpful in alerting others to the sensitivity of information and how they should handle it. Your IT system is the same: you need to ‘teach’ it how to recognise each label and what rules apply to each, so it can apply the controls you require. Keep it simple.
Choose the technical solution that meets your requirements, rather than opting for all the extra ‘whistles and bells’ that might sound interesting but may not be practical. Remember that every increment of complexity makes the solution less likely to be used by your staff, which will decrease the ROI.
Focus on adding features tailored to your business needs, rather than on unnecessary tools for unlikely business scenarios which could waste money and time.